WO2005055516A1 - Method and apparatus for data certification by a plurality of users using a single key pair - Google Patents
- Publication number: WO2005055516A1 (application PCT/EP2003/013409)
- Authority: WO (WIPO, PCT)
- Prior art keywords: data, user, users, certified, authentication
- Prior art date:
- Legal status: Ceased (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All under H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32—including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/3247—involving digital signatures > H04L9/3255—using group based signatures, e.g. ring or threshold signatures
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00 > H04L2209/42—Anonymization, e.g. involving pseudonyms
- H04L2209/00 > H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
- H04L2209/00 > H04L2209/80—Wireless
Definitions
- the present invention relates to a method and an apparatus for data certification by a plurality of different users, using a single cryptographic key pair.
- the method and the apparatus of the invention allow different users to independently sign digital documents using a single key pair for all users and, at the same time, enable identification of the user who has signed the document.
- non-repudiation service provides assurance of the origin of data in order to protect the receiver against false denial by the sender that the data has been sent.
- an asymmetric cryptosystem is software and equipment that transform the data to be sent according to an algorithm parameterised by a pair of numbers, the so-called public and private keys.
- each party in the communication has such a pair of keys.
- the public key is freely available to anyone who is willing to communicate to one of the participants, while the other key is kept private and protected, so that it is known only to its owner.
- although the keys of the pair are mathematically related, it is computationally infeasible to derive one key from the other, if the asymmetric cryptosystem has been properly designed and implemented.
- a sender can use asymmetric encryption for sending confidential data to a receiver.
- the data are encrypted by the sender using the receiver's public key, they are sent by the sender to the receiver, and decrypted by the receiver by using its private key. Confidentiality is achieved because a message encrypted with the public key of a specific participant can only be decrypted by the holder of the matching private key.
- Asymmetric algorithms can also be used for achieving authenticity. If the sender sends certain data encrypted using its private key, anybody, including the receiver, can decrypt the data by using the proper public key, and can be sure that the data have been encrypted by the sender who owns the corresponding private key, and nobody else.
- a commonly used mechanism for achieving authenticity with asymmetric cryptography is by means of digital signatures, which consist of a sequence of bytes computed by a signature algorithm over the original piece of data.
- To sign a document or any other piece of information, the signer first delimits precisely what is to be signed (this delimited information is termed "the message") and then a hashing algorithm is applied to the message so that a "condensed representation" of the message is computed, called the message digest.
- For a secure hashing algorithm, it is computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest.
- This message digest is then the input of the signature algorithm, which performs an encryption, by using the private key of the signer, of the hash of the piece of data to sign.
- the signer sends to a receiving party the message (not encrypted), the signature (which is the encryption of the hash), the sender's public key or a reference to it, and the name of the algorithms used for hashing and encrypting. With this information, the receiver can verify the validity of the signature by means of a verification algorithm.
- the party who wants to verify the identity of the sender of the message computes again the hash over the message and the result is compared with the signature's decryption obtained by using the signer's public key. If the two match, the signature is valid and not corrupted.
- the receiver can be sure about the integrity of the piece of data (nobody could modify it during the transmission as a modification would result in a different hash of the message and it would not correspond to the decryption of the signature) and about the identity of the signer (authenticity).
- a certificate is an assertion of the validity of the link between the certificate's owner and his public key such that other users can be confident that the public key does indeed correspond to the owner who claims it as its own.
- This certificate contains, for example, the name, family name, company name, etc. of the individual owning the key pair. Therefore, owning a key pair is equivalent to being able to prove one's own identity over multiple transactions. Either with or without the usage of such signed certificates, a signature can be computed over any piece of data by a software component having an asymmetric key pair.
- besides asymmetric algorithms, symmetric ones can be used for signing. In both cases the signer must secretly keep a key used by the signing algorithm. Symmetric algorithms are simpler and faster, but require that both parties share a secret key for signing/verifying. Asymmetric algorithms are preferred for signature because, as said, the signer never publicizes its private key: the verification is performed by using the signer's public key. This allows secure signature/verification between non-trusted parties.
- a software component in the role of the aforementioned "user" can sign messages having for example the meaning of requests of access to be sent to an entity in the role of "service". This "user" can also sign receipts containing assertions attesting that it has received information or has used a certain service or resource.
- Signed requests and receipts can be kept in an archive. If later a user/sender denies that it has accessed or made use of the service/receiver, the latter can show the signed message in order to prove what really happened. If the signature is valid, only the owner of the corresponding key pair could have signed it, thus the signed message acts as a non-repudiable proof of the interaction.
- a group signature, wherein with the term "group" a plurality of "users" is intended, allows members of the group to sign messages on behalf of the group while maintaining anonymity, i.e. the signature shows that a member of the group has signed the message, but it does not reveal which member of the group has signed it.
- the authentication server provides the signature server with a derived version of the information through a permanent secure tunnel between the servers, which is compared with the one supplied by the user. If they match, data received from the user are signed with the user's private key.
- the signature server therefore stores as many private cryptographic keys as the number of the users which connect to this server and a private key is used to sign a message coming from a single user.
Summary of the invention
- the present invention relates to a method and an apparatus to certify data by a plurality of users using a single cryptographic key pair.
- the certified data are generally, but not exclusively, intended to be transmitted afterwards to one or more receivers external to the plurality of users.
- certified data are data which are certified to be originated by a specific user (and not by others) using information which is unique to the user.
- the receiver to which the certified data are sent is therefore sure of the origin of the data itself.
- the external receiver can be considered as a services' supplier, i.e. a component which performs predefined services when requested by means of, for example, certified data. It is therefore important for the receiver to be sure of the "non-repudiability" of the certified data itself.
- the single cryptographic key pair is stored in a certifying apparatus to which the users are connectable and which has the necessary software and hardware components to sign messages.
- each time a user of the plurality has to send data to a receiver, it establishes a connection with the certifying apparatus and supplies to it the original data to be sent and certified, and the authentication data.
- the certifying apparatus signs a message containing both the original data to be sent and at least a portion of the authentication data unique to the user, therefore generating a signature which is "user dependent".
- each user has different authentication data, thus signing at the certifying apparatus the same original data received from different users will produce different signatures, because a portion of the authentication data is also contained therein. Appending this signature to the original data results in certified data which is unique to the user and, at the same time, has been produced using a single key pair for a plurality of users.
- the certified data can be verified by the receiver using a simple verification process.
- the certified data contains the original data to be certified, the above-written signature and the portion of the authentication data used in computing the signature.
- when the external receiver receives the certified data, it decrypts the digital signature using the public key of said cryptographic key pair and obtains a certain value, in particular the hash value of the message containing the original data and the portion of the authentication data.
- the external receiver can calculate a second hash value of a second message comprising the original data and the portion of the authentication data contained in the certified data. If the two hash values are equal, then the verification is positive.
- the certifying apparatus before signing the data to be sent, authenticates the identity of the user requesting the certifying operations.
- This authentication is performed using the authentication data, which preferably comprise a secret authentication data which are known only to the user and to the certifying apparatus, and a public identification data which are the portion of the authentication data included in the message on which the signature is made.
- the public identification data are comprised in the certified data sent to the receiver, to allow the receiver to verify the signature.
- the latter verifies that the secret authentication data, or a value dependent on them, and the public identification data correspond to the user requesting the data certification having the given public identification data, for example comparing the data supplied by the user with a list of such data for all users stored in a memory of the certifying apparatus.
- such secret authentication data are a password and the public identification data are a name of the component or a user identification number.
- the exact procedure of the authentication process is not fundamental for the invention: it is preferable that an authentication of the user which requests the certification of data is performed, the authentication having a given procedure, in particular if the connections between users and certifying apparatus are not secure. Addition or removal of users, which may be of interest in practical cases, is extremely simple: if a new user is added, new authentication data are generated for the new user and added to the list stored in the certifying apparatus; if an old user is removed, its authentication data are deleted from the mentioned list.
- the signing step of the data sent by the user to the certifying apparatus is computed preferably using standard algorithms: preferably a hash value of a message including the original data to be sent and the public identification data is calculated using a well-known hashing algorithm and then this hash value is encrypted using a standard encrypting algorithm and the private key stored in the certifying apparatus. Thanks to the teaching of the invention, devices such as SIM or Smart cards can also handle several users without computational overhead or a significantly higher memory consumption, keeping a similar level of security in comparison with traditional systems having a single key pair per user.
Brief description of the drawings
- fig. 1 depicts a schematic diagram of the apparatus showing the connections between the various components according to the present invention;
- fig. 2 shows a schematic synthetic diagram of the usage of the method according to the invention;
- fig. 3a depicts a schematic diagram of a phase of the method of fig. 2;
- fig. 3b depicts a schematic diagram of a further phase of the method of fig. 2;
- fig. 4 depicts a schematic diagram of an additional phase of the method of fig. 2;
- fig. 5 shows a more detailed diagram of a preferred embodiment of the apparatus of fig. 1;
- fig. 6 shows a more detailed diagram of a second preferred embodiment of the apparatus of fig. 1;
- fig. 7 shows a more detailed diagram of a third preferred embodiment of the apparatus of fig. 1.
Preferred embodiments of the invention
- With initial reference to figure 1, 1 indicates an apparatus for data certification by a plurality of users using a single key pair according to the invention. To be more specific, the apparatus 1 may include personal computers, mobile phones, PDAs (Personal Digital Assistant), laptops, televisions, set-top-boxes, desktops, servers, etc., i.e. digital devices which may have connections and data exchange through a network to other similar devices.
- the apparatus 1 comprises a plurality of "users", all indicated with 2, and a certifying apparatus 3.
- by "users" are meant software components, for example objects, active components, agents, procedures, applications, etc. Users could (but it is not required) be associated to individuals or to different roles played by a single or more individuals connected to digital devices on which they input commands to perform the operations outlined in the following.
- the users 2 and certifying apparatus 3 may be all resident in the same physical unit, they can be all remote from each other, or any combination of the two is allowed (i.e. some users and the certifying apparatus 3 are in a single unit, while some other users are in physically separated units), the teaching of the present invention remaining unchanged.
- each user 2 is connected to the certifying apparatus 3 through a communication channel 4, in particular a secure channel so that no external entity may intercept, read or modify the data exchanged, and it comprises all software required to communicate effectively with the certifying apparatus 3.
- the software needed may be downloaded from an external device or from the certifying apparatus 3 only for the time-interval of connection.
- Users 2 and certifying apparatus 3 could be within a Local Area Network (LAN) or comprised in a Wide Area Network (WAN). Secure communication techniques such as SSL or TLS can be used in communications among these functional blocks, or, if they all reside in the same physical unit, a trusted underlying operating system and hardware may be employed.
- the certifying apparatus 3 comprises a signing device 8 and an authentication device 5.
- the signing device 8 includes a cryptographic key pair 6, stored in a memory (not shown) known per se, preferably an asymmetric key pair comprising a public and a private key K, or at least a private key of a given pair, a hashing algorithm 9 and an encrypting algorithm 10, and the software and hardware components necessary to properly perform the calculations and data storage required to operate the above mentioned algorithms, which will be better outlined below.
- the key pair which is associated to all users 2 may be stored in an advanced SIM or in a Smart-Card, however it can also be stored on digital on-board memory or on other storage solutions.
- all terms such as “computing”, “calculating”, “determining”, “obtaining” and the like, refer to the action and process of an electronic computing system that transforms data represented by physical electronic quantities within the system registers and memories into other physical data. The procedures presented are not intended to be related to a particular computing system or programming language.
- the users 2 are also connected to external components 7, for example through the Internet or other fixed or mobile communication networks, with which they may exchange data.
- the connection to external components 7 is schematically depicted in Fig. 2 where only an external component is shown.
- the communication between the user 2 and the external component 7 is not inherently secure and therefore a certification of the authenticity of the user sending the data is needed.
- when one user 2 sends data to an external component 7, it will be denoted as "the sender", whilst the external component 7 receiving the data will be called "the receiver".
- the external components 7 have the role of "services' suppliers", i.e.
- Authentication data unique to each user 2 are generated and associated to each user of the plurality, for example they are stored in a memory accessible only to the specific user. These data preferably comprise public identification data P2 and secret authentication data SA unique for each user 2, which are used by the certifying apparatus 3 for the data signature and preferably also for the identification of the user 2, as it will be explained below. These data are also known by the certifying apparatus 3, i.e. they are stored and accessible in a memory of the authentication device 5.
- the public identification data P2 can be for example the name of the user 2, its identification number or similar, and they can be publicly disseminated.
- the secret authentication data are known only to the user 2 and the certifying apparatus 3.
- the secret authentication data are passwords such as a string of bytes.
- the above-described apparatus 1 operates according to the method of the present invention.
- the user 2 selects the external component 7 to which it wants to send original data PI, which are a delimited piece of information and it might be considered to be a bit string, the length of the message being the number of bits in the string.
- the user 2 establishes a connection, through the communication channel 4, with the certifying apparatus 3 to which, according to a characteristic of the present invention, it preferably authenticates itself.
- the authentication is performed via the authentication device 5 in which, as previously said, the secret authentication data SA relative to all users 2 empowered to send messages are stored, for example in a list.
- the list comprises for each user 2 its authentication data (P2, SA), which may be in the format, in case of a plurality of n users 2, (P2_1, SA_1; P2_2, SA_2; P2_3, SA_3; ... P2_n, SA_n) where the subscript indicates the user (see fig. 3b).
- This authorization step can be implemented in several different ways.
- the secret authentication data SA can be a password, preferably randomly generated and/or frequently changed to enhance security of the apparatus 1, and the public identification data P2 a user ID.
- the user 2 connects to the certifying apparatus 3, it sends the password and the public identification data P2 to the certifying apparatus 3 where they are compared with the corresponding password and public identification data stored in the authentication list 5. If the data are the same, then the user 2 is positively authenticated.
- Another example is given by the transmission of a random number and a hash of the password concatenated with such random number, instead of transmitting only the password, and of the public identification data P2.
- the certifying apparatus 3 then calculates the hash value of the secret authentication data SA stored in the list of the authentication device 5 corresponding to the sent public identification data P2 and compares the result with the sent hash.
- the certifying apparatus 3 reads the public identification data and the secret authentication data directly from the user 2.
- the authentication may even be effected through a separate device (not shown) which sends the secret authentication data to the user 2 and the certifying apparatus 3, which compares the data received.
- Other authentication methods are also conceivable.
- the user 2 is authenticated, or, said in other words, the authentication is positive.
- a single string (public and secret data connected) may be supplied to the certifying apparatus 3.
- if the connections between the users 2 and the certifying apparatus 3 are considered to be secure, for example if authentication is granted by the underlying operating system, no explicit user authentication is needed, so the authentication step is omitted.
- the user 2 simply supplies the public identification data P2 and the data to be signed to the certifying apparatus 3, which uses them in the signature calculation, which will be described below.
- the further step of the method of the invention performed only if the outcome of the user's 2 authentication is positive, consists in a data transfer from the user 2 to the certifying apparatus 3 of the original data PI to be sent to the external component 7 and to be certified.
- the certifying apparatus 3 receives the original data PI to be certified and, as schematically depicted in fig. 3a, activates the signing device 8 in which, by means of the hashing algorithm 9, the encrypting algorithm 10 and the key pair, in particular of the private key K, a digital signature of a message containing the original data PI and a portion of the authentication data is computed.
- the signing step preferably comprises a hashing and an encrypting step.
- the hashing algorithm 9 computes a hash value H of the string (PI, P2). Therefore, in this example the portion of the authentication data (P2, SA) used in computing the signature is P2.
- the hash value of a given message is unique, for all practical purposes, to the message on which it is computed. Generally, the hash value of a message is a string of 128 or more bits.
- any hashing algorithm can be used, for example typical algorithms are MD4 (Message Digest 4), MD5 (Message Digest 5), SHA-1 (Secure Hash Algorithm 1), RIPEMD-160 (RIPE Message Digest, 160 bits), etc.
- the hashing algorithm 9 may be stored inside the user 2 (i.e. in a memory of the user), instead of inside the signing device 8. In this case, the hash value H calculated through the hashing algorithm 9 is appended to the original data PI and sent with it to the certifying apparatus 3.
- the signing device's 8 software utilising the encrypting algorithm 10 and the private key K stored in the signing device 8 then transforms the hash value of the string (PI, P2) into a digital signature Sl: through the key K the hash value of (P1,P2) is encrypted.
- the key pair used to compute the digital signature Sl is the same for all users 2 of the plurality requesting a data certification.
- the signing device 8 only encrypts it.
- the certifying apparatus 3 computes a certified data R, given by a sequence of the following fields: by defining S2 an identifier of the hashing and encrypting algorithms 9, 10; S3 the public key corresponding to the private key K of the key pair used for the encryption; S4 a certifying apparatus identifier (it can also be omitted), then the certified data R is equal to the string (PI, Sl, S2, S3, S4, P2).
- the S3 field may contain, instead of the public key, a hash value of the public key obtained by a hashing algorithm or a unique identifier of the public key. In this way, the field S3 is shorter. If S3 contains the hash value of the public key, then the external component 7 connects to the server in which the public keys are stored and retrieves the public key that corresponds to the certifying apparatus 3 of interest (known because of the certifying apparatus identifier S4 contained in the certified data R). The external component 7 then calculates the hash value of the retrieved public key and compares it to the hash value attached in S3. If the two are the same, then the fact that the certified data R comes from that specific certifying apparatus 3 owning that public key is verified.
- a cache memory may be added to the external component 7 so that a list of public keys and their corresponding hash, which have been received and calculated in the past transactions, is kept in order to avoid frequent connections to the server directory containing public keys.
- the certified data R are then sent by the certifying apparatus 3 to the user 2 which initially sent the original data PI, and the latter sends the certified data R to the external component 7 of interest.
- the external component 7 can easily verify that the data R has been sent by the indicated user 2. As shown schematically in fig. 4, the verification includes the following steps: the external component 7 decrypts the signature Sl, by using the public key S3 contained in the certified data R or already available to the external component 7 and by the encrypting algorithm identified in S2. The result of the decryption is the hash value H of the string formed by the original data PI and the public identification data P2.
- PI and P2 are also available to the external component 7 because they have been sent to it (they are included in the certified data R), and thus the component 7 calculates the hash value H_c of the string (P1, P2), using the hashing algorithm given in S2.
- the two hash values H and H_c are then compared: if the two are not equal, the verification is negative and the certified data R are considered not valid. Otherwise, the verification is positive and the external component 7 which has received the certified data R can securely believe that the user 2 recognized with the public identification data P2 by the certifying apparatus 3 storing the key pair with public key S3 has really sent and signed the original data PI.
- the method of the invention comprises the steps respectively of adding or removing authentication data from the list of the certifying apparatus 3 (see fig. 3b).
- new authentication data are generated for the new user and added to the list stored in the certifying apparatus 3; if an old user is removed, its authentication data are deleted from the mentioned list.
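The authentication step (hashed-password variant), the signing of (P1, P2) into S1, the certified data R = (P1, S1, S2, S3, S4, P2), the receiver's H versus H_c check and user addition/removal described above, as one runnable model. This is an added example, not code from the patent; it assumes a toy textbook RSA key generated inline in place of key pair 6, SHA-256 as hashing algorithm 9, and a length prefix between P1 and P2 in the hashed string, none of which the page specifies.

```python
"""Toy model of the WO2005055516A1 method (added example, not the patent's code).
Assumptions: inline textbook RSA stands in for key pair 6 (real systems use a
padded scheme such as RSA-PSS, never raw m^d mod n); SHA-256 is hashing algorithm 9."""
import hashlib
import hmac
import random
import secrets


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin on an odd candidate; adequate for a toy key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_key_pair(bits=512, seed=0):
    """Return ((n, e), (n, d)): public key S3 and private key K."""
    rng, e = random.Random(seed), 65537  # seeded so the example is repeatable

    def prime():
        while True:  # odd candidate with the top bit set
            cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def hash_message(p1: bytes, p2: bytes) -> int:
    """Hash value H of the string (P1, P2), as an integer for the RSA step.
    The 4-byte length prefix (assumption) stops (P1, P2) being re-split."""
    data = len(p1).to_bytes(4, "big") + p1 + p2
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def user_request(p2: bytes, sa: bytes, p1: bytes):
    """User 2 side: P2, a random number and hash(SA || random number) travel
    instead of SA itself, plus the data P1. The page lets the user pick the
    random number; an apparatus-issued challenge would also stop replay."""
    nonce = secrets.token_bytes(16)
    return p2, nonce, hashlib.sha256(sa + nonce).digest(), p1


class CertifyingApparatus:
    """Certifying apparatus 3: authentication list 5 plus signing device 8."""

    def __init__(self, apparatus_id: bytes, key_bits=512, seed=0):
        self.public_key, self._private_key = make_key_pair(key_bits, seed)
        self.apparatus_id = apparatus_id  # S4
        self._auth_list = {}              # P2 -> SA, one entry per user 2

    def add_user(self, p2: bytes, sa: bytes):
        self._auth_list[p2] = sa

    def remove_user(self, p2: bytes):
        self._auth_list.pop(p2, None)

    def certify(self, p2, nonce, auth_hash, p1):
        """Authenticate, then return R = (P1, S1, S2, S3, S4, P2); SA never enters S1."""
        sa = self._auth_list.get(p2)
        if sa is None:
            raise PermissionError("unknown public identification data")
        if not hmac.compare_digest(hashlib.sha256(sa + nonce).digest(), auth_hash):
            raise PermissionError("authentication failed")
        n, d = self._private_key
        s1 = pow(hash_message(p1, p2), d, n)  # S1: H encrypted with private key K
        return {"P1": p1, "S1": s1, "S2": "sha256+rsa",
                "S3": self.public_key, "S4": self.apparatus_id, "P2": p2}


def verify(r: dict) -> bool:
    """External component 7: decrypt S1 with S3 and compare with own H_c of (P1, P2)."""
    n, e = r["S3"]
    return pow(r["S1"], e, n) == hash_message(r["P1"], r["P2"])


def demo():
    """Two users, one key pair: same P1, different S1; edits to R are caught."""
    ca = CertifyingApparatus(b"sim-card-100")
    ca.add_user(b"alice", b"pw-alice")
    ca.add_user(b"bob", b"pw-bob")
    r_alice = ca.certify(*user_request(b"alice", b"pw-alice", b"book flight"))
    r_bob = ca.certify(*user_request(b"bob", b"pw-bob", b"book flight"))
    return {"both_valid": verify(r_alice) and verify(r_bob),
            "same_key": r_alice["S3"] == r_bob["S3"],
            "user_dependent": r_alice["S1"] != r_bob["S1"],
            "tamper_detected": not verify(dict(r_alice, P1=b"book hotel")),
            "swap_detected": not verify(dict(r_alice, P2=b"bob"))}
```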
- any external component 7 may also certify a receipt R' (schematically shown in fig. 2) which is sent to the user 2 which has asked for the service using the certified data R, confirming that it has received the request for a service.
- the apparatus and the method according to the invention permit the external component 7 to securely assign responsibility for actions to a specific user 2 of the plurality of users present in the apparatus 1.
- a certain user cannot pretend to be a different user having different capabilities because it does not know the different user's secret authentication data. Additionally, it may not modify the original data PI because in this way the hash value H would change and during the verification process the two calculated hashes (the received one and the hash calculated by the external component 7) would not coincide.
- the secret authentication data SA are preferably not included in the computation of the digital signature, the secret authentication data remaining in the certifying apparatus and being known only to the user. This improves protection of the secret authentication data.
- the teaching of the invention is independent of the algorithms used for hashing and encrypting, and of the lengths of the keys of the key pair used. The level of security achieved by the apparatus and the method of the invention will be determined by the algorithms selected and by the key length; however, the method does not lower in any way the overall level of security achieved when compared to a traditional system in which a specific key pair is used for each user 2, if the connections among the users 2 and the certifying apparatus 3, and among the components of the certifying apparatus 3, are properly protected against external intrusion.
- An additional advantage consists in the fact that the algorithms used for the digital signature may be standard, therefore reducing the complexity of calculation.
- the present invention is also applicable to an apparatus which contains more than one key pair.
- the users are divided into different groups, for example into a first plurality of users and a second plurality of users, each of which uses a different key pair to sign data PI. Differentiated groups of users on a single apparatus are therefore obtained.
- Example 1
- The apparatus, shown schematically in fig. 5, comprises a mobile telephone with a SIM card 100, which includes the certifying apparatus 3, containing a single RSA key pair and an on-board cryptographic engine capable of performing hashing and asymmetric encryption.
- Software components, which are the users 2, are installed in the SIM card 100 and are able to connect (through a mobile communication channel) to and interact with remote on-line services, which are here considered the external components 7 (in fig. 5 only one external component 7 is shown).
- Some additional users 2 may also reside in the mobile phone outside the SIM card and may connect with the certifying apparatus 3. Possible services of interest are flight and hotel reservations. The messages exchanged between the users 2 and the services 7 may therefore have the meaning of transaction requests.
- The owner of the mobile telephone establishes his preferred policy with regard to the accesses to services allowed to the different users 2. For example, he may trust certain users 2 which he has already tested and therefore give them permission to access any service and make transactions on his behalf, or he may not completely trust one (or more) of them and therefore give it permission to make transactions only up to a certain amount of money.
- This policy is made known to the external components 7 in one of the following alternative ways.
- The owner of the mobile phone might have accessed the web site of the service in question and set an "access control list", i.e. a list of the users present in his mobile phone and their permissions. Alternatively, he may have signed "delegation certificates" containing the above-mentioned list and sent them to the service from the mobile telephone, for example in the form of an SMS (Short Message Service) or by means of a GPRS transmission.
- The users 2 installed in the mobile telephone might be "book & pay" software, or software that collects information on the Internet in order to optimise the results with respect to the owner's preferences.
- Each user 2 may send certified data R to an external component 7 using the single key pair stored in the SIM memory.
- The external component 7, by verifying the certified data R with the verification method outlined above, may establish the identity of the user 2 and, by looking it up in the list given to the component 7 by the mobile phone owner, whether it is allowed to make the requested transaction. Consequently, the component 7 may accept or deny access to the requested service.
- Each user is therefore forced to take responsibility for its actions even though the SIM 100, which has a relatively limited memory, stores only a single cryptographic key pair.
- The apparatus comprises a UMTS (Universal Mobile Telecommunication System) mobile terminal 200 in which several users 2 and the certifying apparatus 3 are installed.
- The certifying apparatus 3 contains a single asymmetric RSA key pair.
- The mobile terminal 200 has its own IMPI (International Mobile Private User Identity), while each user 2 has its own IMPU (International Mobile Public User Identity), each IMPU being different from those owned by the other users.
- Each IMPU is associated with a secret string, which is known only to the certifying apparatus 3, which stores in the authentication device 5 a list of all the secret strings associated with the IMPUs identifying the users, and to the user 2 which owns the string itself.
- Each user 2 is allowed to communicate with one or more of the entertainment services 7.
- The data the user 2 wishes to send to a chosen entertainment service 7 are certified in the following way.
- In order to authenticate itself, the user 2 sends to the certifying apparatus 3 its IMPU and the shared secret string defined above, over a secure channel 4.
- The certifying apparatus 3 compares the given secret string with the secret strings stored in the list memorized in the authentication device 5 and verifies whether the received secret string corresponds to the user having the given IMPU. Once authentication has been passed, the user 2 sends to the certifying apparatus 3 the original data P1 that need to be signed and certified.
- The sequence R is then sent to the user 2 as the certification of the previously forwarded data P1.
- The user 2 then sends the certified data R, for example containing a request for a service, to the chosen entertainment service 7. This service can securely verify that the received request has been signed by the indicated user and use this information for authorization, profiling, accounting, billing and other related activities.
- The verification consists of the following steps, performed on the received certified data R.
- The service, using appropriate software/hardware, calculates the SHA-1 hash value of (P1, P2) included in R and then decrypts the signature S1 with the public key S3 using the algorithm indicated in S4. It then compares the result of the decryption with the calculated hash value. If the two are not equal, the verification is negative and the signature is considered invalid. Otherwise the verification is positive and the service 7 that received the data R can securely believe that the user recognized with the public identification data P2 by the certifying apparatus 3, which owns the key pair with public key S3, has really signed the original data P1.
- The owner of the smart-phone/PC 300 also uses additional devices, all referenced 400 in fig. 6, which may comprise other PCs, laptop computers, PDAs, tablet PCs, etc., some of which host additional users 2. All these devices 300 and 400, and in particular the users 2, can communicate among themselves, and in particular with the smart-phone/PC 300, by means of a wired network, such as Ethernet or serial connections, or a wireless network, for example Bluetooth, Wi-Fi and similar.
- With each user 2 a local identity ID and a secret string are associated, corresponding respectively to the public identification data P2 and to the secret authentication data SA.
- The secret string is known only to the user with which it is associated and to the certifying apparatus 3, in which all the secret strings and the corresponding IDs are tabulated in a list.
- Each user 2 may send data to and/or receive data from the external component 7, data that should be certified by the certifying apparatus 3.
- The certification is performed as follows.
- H (message + secret string).
- The user 2 then sends the hash H, the original data P1 and its ID to the certifying apparatus 3.
- The signature S1 is calculated using the elliptic curve (ECC) key pair, in particular by encrypting with the private key K of the pair the hash of the sequence (P1, P2), wherein P1 is the original data received and P2 is the local user identifier ID.
- The hash is preferably calculated using the SHA-1 hashing algorithm.
- The certifying apparatus 3 sends the certified data R to the user 2 identified by the ID, which in turn sends it to the selected external component 7 whose services are of interest.
- The component 7 can securely verify that the received certified request R has been signed by the identified user, operating as already exemplified.
- The component 7 calculates the SHA-1 hash of (P1, P2) and decrypts the signature S1 using the public key S3 and the algorithm indicated in S2 (elliptic curve algorithm). If the two results are not equal, the verification is negative and the signature is considered invalid. Otherwise the verification is positive and the component 7 that received R can be sure that the user 2 recognized with the public identification data P2 by the certifying apparatus 3, which owns the key pair with public key S3, is really the sender of the certified data R.
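As an added example, not code from the patent, the following Go program models the scheme the three examples describe end to end: a certifying apparatus holding one key pair and the authentication table of (ID, secret string) pairs; a user that authenticates with H(message + secret string) as in the smart-phone/PC example; the signature over the sequence (P1, P2); the external component's verification; and the owner's access control list from Example 1. The patent names SHA-1 and RSA or ECC and leaves the encoding of R open. This example uses SHA-256 (SHA-1 is no longer collision-resistant), HMAC as the keyed hash for H, RSA PKCS#1 v1.5 signatures, a length-prefixed encoding of (P1, P2) and a struct layout for R with fields P1, P2, S1, S2 and S3; all of these, the ACL semantics (a per-user spending limit, negative for full trust) and the sample request are assumptions of the example, not the patent's specification.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Certified is the sequence R: original data P1, public identification data P2 (the user's
// local ID), signature S1, algorithm identifier S2 and public key S3 (field layout assumed here).
type Certified struct {
	P1 []byte
	P2 string
	S1 []byte
	S2 string
	S3 *rsa.PublicKey
}

// CertifyingApparatus holds the single key pair and the table mapping each user ID to its SA.
type CertifyingApparatus struct {
	key     *rsa.PrivateKey
	secrets map[string][]byte
}

// NewCertifyingApparatus generates the one key pair shared by all users of the apparatus.
func NewCertifyingApparatus(bits int, secrets map[string][]byte) (*CertifyingApparatus, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &CertifyingApparatus{key: key, secrets: secrets}, nil
}

// UserHash is computed on the user's side: H(message + secret string). HMAC-SHA256 stands in
// for the plain hash over the concatenation (an assumption of this example, not of the text).
func UserHash(secret, message []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(message)
	return m.Sum(nil)
}

// signedDigest hashes the sequence (P1, P2) with length prefixes, so distinct pairs never collide.
func signedDigest(p1 []byte, p2 string) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s%d:%s", len(p1), p1, len(p2), p2)
	return h.Sum(nil)
}

// Certify checks H against the stored secret (constant time), then signs (P1, ID); SA never enters the signature.
func (c *CertifyingApparatus) Certify(id string, h, p1 []byte) (*Certified, error) {
	secret, ok := c.secrets[id]
	if !ok || !hmac.Equal(UserHash(secret, p1), h) {
		return nil, fmt.Errorf("authentication failed for user %q", id)
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, signedDigest(p1, id))
	return &Certified{P1: p1, P2: id, S1: sig, S2: "RSA-PKCS1v15-SHA256", S3: &c.key.PublicKey}, err
}

// Verify is the external component's check. S3 carried in R must equal the key the component
// already trusts for this apparatus; otherwise a sender could ship a key pair of its own.
func Verify(r *Certified, trusted *rsa.PublicKey) bool {
	if r == nil || r.S3 == nil || r.S2 != "RSA-PKCS1v15-SHA256" || !trusted.Equal(r.S3) {
		return false
	}
	return rsa.VerifyPKCS1v15(trusted, crypto.SHA256, signedDigest(r.P1, r.P2), r.S1) == nil
}

// ACL is the owner's access control list: user ID -> maximum amount per transaction (negative = fully trusted).
type ACL map[string]int

// Authorize applies the policy: valid signature, P2 present in the ACL, amount within its limit.
func Authorize(r *Certified, trusted *rsa.PublicKey, acl ACL, amount int) (bool, string) {
	if !Verify(r, trusted) {
		return false, "signature invalid"
	}
	limit, ok := acl[r.P2]
	if !ok {
		return false, "user " + r.P2 + " not in access control list"
	}
	if limit >= 0 && amount > limit {
		return false, fmt.Sprintf("amount %d exceeds limit %d for user %s", amount, limit, r.P2)
	}
	return true, "accepted for user " + r.P2
}

func main() {
	// Constructed sample: one software user on the SIM, one shared key pair, one ACL entry.
	ca, err := NewCertifyingApparatus(2048, map[string][]byte{"book-and-pay": []byte("secret-A")})
	if err != nil {
		panic(err)
	}
	p1 := []byte("reserve flight XY123; amount=450")
	r, err := ca.Certify("book-and-pay", UserHash([]byte("secret-A"), p1), p1)
	if err != nil {
		panic(err)
	}
	fmt.Println(Authorize(r, &ca.key.PublicKey, ACL{"book-and-pay": 500}, 450))
}
```

Two points the prose leaves implicit are made explicit here. First, the public key S3 travelling inside R proves nothing by itself; the external component must compare it with the key it already trusts for the apparatus, otherwise any sender with its own key pair could produce a "valid" R. Second, the sequence (P1, P2) is hashed with a length prefix on each element, so that moving bytes between the original data and the user identifier cannot produce a second pair with the same digest.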
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2003/013409 WO2005055516A1 (fr) | 2003-11-28 | 2003-11-28 | Method and apparatus for data certification by a plurality of users using a single key pair |
| AU2003288192A AU2003288192A1 (en) | 2003-11-28 | 2003-11-28 | Method and apparatus for data certification by a plurality of users using a single key pair |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2003/013409 WO2005055516A1 (fr) | 2003-11-28 | 2003-11-28 | Method and apparatus for data certification by a plurality of users using a single key pair |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2005055516A1 (fr) | 2005-06-16 |
Family
ID=34639224
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2003/013409 Ceased WO2005055516A1 (fr) | 2003-11-28 | 2003-11-28 | Method and apparatus for data certification by a plurality of users using a single key pair |
Country Status (2)
| Country | Link |
|---|---|
| AU (1) | AU2003288192A1 (fr) |
| WO (1) | WO2005055516A1 (fr) |
2003
- 2003-11-28 WO PCT/EP2003/013409 patent/WO2005055516A1/fr not_active Ceased
- 2003-11-28 AU AU2003288192A patent/AU2003288192A1/en not_active Abandoned
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020099938A1 (en) * | 2001-01-23 | 2002-07-25 | Spitz Charles F. | Method and system for obtaining digital signatures |
Non-Patent Citations (1)
| Title |
|---|
| MENEZES, VANSTONE, OORSCHOT: "Handbook of Applied Cryptography", 1997, CRC Press LLC, USA, XP002285930 * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7958364B2 (en) * | 2007-08-09 | 2011-06-07 | Hong Fu Jin Precision Industry (Shenzhen) Co., Ltd. | System and method for digitally signing electronic documents |
| CN117571305A (zh) * | 2024-01-17 | 2024-02-20 | 长沙润伟机电科技有限责任公司 | Control system for a drive run-in test bench |
| CN117571305B (zh) * | 2024-01-17 | 2024-04-16 | 长沙润伟机电科技有限责任公司 | Control system for a drive run-in test bench |
Also Published As
| Publication number | Publication date |
|---|---|
| AU2003288192A1 (en) | 2005-06-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7689828B2 (en) | | System and method for implementing digital signature using one time private keys |
| US6993652B2 (en) | | Method and system for providing client privacy when requesting content from a public server |
| US7610617B2 (en) | | Authentication system for networked computer applications |
| US7688975B2 (en) | | Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure |
| US8306228B2 (en) | | Universal secure messaging for cryptographic modules |
| KR101132148B1 (ko) | | System and method for providing client approval of authorization in a key management protocol |
| US20020176583A1 (en) | | Method and token for registering users of a public-key infrastructure and registration system |
| EP1383265A1 (fr) | | Method for generating proxy signatures |
| EP3948592A1 (fr) | | Digital rights management authorization token pairing |
| US7266705B2 (en) | | Secure transmission of data within a distributed computer system |
| US20020018570A1 (en) | | System and method for secure comparison of a common secret of communicating devices |
| US7360238B2 (en) | | Method and system for authentication of a user |
| JPH10336172A (ja) | | Method for managing public keys for electronic authentication |
| EP1263164B1 (fr) | | Method and token for registering users of a public-key infrastructure and registration system |
| CN115580403B (zh) | | PKI-based computing node access control method |
| WO2005055516A1 (fr) | | Method and apparatus for data certification by a plurality of users using a single key pair |
| KR20030061558A (ko) | | User authentication method using a virtual private key |
| Bochmann et al. | | A secure authentication infrastructure for mobile users |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
| | 122 | Ep: pct application non-entry in european phase | |
| | NENP | Non-entry into the national phase | Ref country code: JP |